I know what you mean. The original nature of SMTP and IBM’s choice of words in it’s configuration makes for a confusing situation.

Without getting too far down the rabbit hole, here is one way to explain further:
SMTP Inbound can be anonymous or authenticated.

Most all SMTP connections are “anonymous.” That isn’t to say that we can’t or don’t know where they come from. It only means that I am allowing your SMTP server to connect to mine without a user name and password. “You might not know me, but I have some mail that I want you to have.” It is then up to my server to determine what happens after this handshake.

The core ability for an Anonymous connection to relay SMTP is controlled via a Configuration document. A popular method is to set Router/SMTP > Restrictions and Controls > SMTP Inbound Controls > Inbound Relay Controls > Deny messages to be sent to the following external internet domains = *
“I’ll only accept your message if it is addressed to a domain that I’m supposed to handle.”

However, Domino’s default settings would still allow an account (Name & Password) to use SMTP AUTH to circumvent the Anonymous relay controls set above.
“I’m John Smith, here is the password you issued me to prove my identity, now you MUST take this message from me.”

By setting the fields associated with SMTP AUTH to “No” the SMTP AUTH feature is disabled. Now I’m saying that the ONLY way you are going to get a chance to relay mail will be determined by my “Anonymous” relay settings. Attempting to provide a name and password is enough for me to deny your connection to this port. Even a correctly guessed (i.e. hacked) name and password will not be allowed SMTP Relay and my server will be saved the further cycles of trying to validate the attempt.

No worries. In a perfect world IBM would extend the functionality of the Internet Lockout feature so that the IP of offending SMTP AUTH attempts could be blocked after a specified number of failed attempts.